[strongSwan] Help with apparent routing failure on AWS

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Sep 20 13:16:55 CEST 2019


> office-netcube{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o

Use `tcpdump -n udp and port 4500`

Am 19.09.19 um 22:53 schrieb Doug Bell:
> I have created an AWS instance running StrongSwan on Ubuntu to facilitate an IPSec tunnel back to an OPNSense firewall.
> 
> AWS StrongSwan:
> Internal IP: 172.31.255.19
> External IP: 54.149.10.176
> Internal Network: 172.31.255.0/24
> (I am also trying to use / route another AWS subnet of 172.31.32.0/20)
> 
> OPNsense firewall:
> External IP: 112.199.95.138
> Internal Network: 192.168.11.0/24
> 
> I can get the tunnel to come up in what appears to be a correct fashion, but I cannot get any pings to go across the tunnel, regardless of source or destination.  From another machine on the same subnet I added a proper route and security group and I was able to see the ICMP echo requests come in on the VPN gateway, but looking at 'tcpdump esp' the traffic does not appear to be going over the tunnel.
> 
> 20:32:14.436042 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> 20:32:14.436077 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> 20:32:15.449498 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 2, length 64
> 
> I am not running any IP masquerading as I need the hosts on the different endpoints able to recognize the proper source IPs.
> 
> Thank you for your assistance.
> 
> 
> Here are some diagnostics:
> 
> --ipsec.conf--
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>     #charonstart=yes
> 
> # Add connections here.
> conn sts-base
>     fragmentation=yes
>     dpdaction=restart
>     keyingtries=%forever
>     leftid=172.31.255.19
>     leftsubnet=172.31.255.0/32,172.31.32.0/20
>     leftauth=psk
>     rightauth=psk
> 
> conn office-netcube
>     also=sts-base
>     mobike=no
>     keyexchange=ikev2
>     ike=aes128-sha256-modp3072
>     esp=aes128-sha256-modp3072
>     right=112.199.95.138
>     rightsubnet=192.168.11.0/24
>     installpolicy=yes
>     type=tunnel
>     auto=start
> --end configuration--
> 
> 
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1050-aws, x86_64):
>   uptime: 2 minutes, since Sep 19 19:44:35 2019
>   malloc: sbrk 2568192, mmap 0, used 643504, free 1924688
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Listening IP addresses:
>   172.31.255.19
> Connections:
> office-netcube:  %any...112.199.95.138  IKEv2, dpddelay=30s
> office-netcube:   local:  [172.31.255.19] uses pre-shared key authentication
> office-netcube:   remote: [112.199.95.138] uses pre-shared key authentication
> office-netcube:   child:  172.31.255.0/32 172.31.32.0/20 === 192.168.11.0/24 TUNNEL, dpdaction=restart
> Routed Connections:
> office-netcube{2}:  ROUTED, TUNNEL, reqid 1
> office-netcube{2}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> Security Associations (1 up, 0 connecting):
> office-netcube[1]: ESTABLISHED 2 minutes ago, 172.31.255.19[172.31.255.19]...112.199.95.138[112.199.95.138]
> office-netcube[1]: IKEv2 SPIs: c2c2cd729e85a9f2_i* 92478c72f25bd4a8_r, pre-shared key reauthentication in 2 hours
> office-netcube[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> office-netcube{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o
> office-netcube{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
> office-netcube{1}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> 
> # ip addr list
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
>     link/ether 06:07:f8:50:8b:96 brd ff:ff:ff:ff:ff:ff
>     inet 172.31.255.19/24 brd 172.31.255.255 scope global dynamic ens5
>        valid_lft 3340sec preferred_lft 3340sec
>     inet6 fe80::407:f8ff:fe50:8b96/64 scope link
>        valid_lft forever preferred_lft forever
> 
> # ip route show table all
> default via 172.31.255.1 dev ens5 proto dhcp src 172.31.255.19 metric 100
> 172.31.255.0/24 dev ens5 proto kernel scope link src 172.31.255.19
> 172.31.255.1 dev ens5 proto dhcp scope link src 172.31.255.19 metric 100
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 172.31.255.0 dev ens5 table local proto kernel scope link src 172.31.255.19
> local 172.31.255.19 dev ens5 table local proto kernel scope host src 172.31.255.19
> broadcast 172.31.255.255 dev ens5 table local proto kernel scope link src 172.31.255.19
> local ::1 dev lo proto kernel metric 256 pref medium
> fe80::/64 dev ens5 proto kernel metric 256 pref medium
> local ::1 dev lo table local proto kernel metric 0 pref medium
> local fe80::407:f8ff:fe50:8b96 dev ens5 table local proto kernel metric 0 pref medium
> ff00::/8 dev ens5 table local metric 256 pref medium
> 
> # ip xfrm policy show
> src 172.31.255.0/32 dst 192.168.11.0/24
> dir out priority 371327
> tmpl src 172.31.255.19 dst 112.199.95.138
> proto esp spi 0xce60b044 reqid 1 mode tunnel
> src 192.168.11.0/24 dst 172.31.255.0/32
> dir fwd priority 371327
> tmpl src 112.199.95.138 dst 172.31.255.19
> proto esp reqid 1 mode tunnel
> src 192.168.11.0/24 dst 172.31.255.0/32
> dir in priority 371327
> tmpl src 112.199.95.138 dst 172.31.255.19
> proto esp reqid 1 mode tunnel
> src 172.31.32.0/20 dst 192.168.11.0/24
> dir out priority 377471
> tmpl src 172.31.255.19 dst 112.199.95.138
> proto esp spi 0xce60b044 reqid 1 mode tunnel
> src 192.168.11.0/24 dst 172.31.32.0/20
> dir fwd priority 377471
> tmpl src 112.199.95.138 dst 172.31.255.19
> proto esp reqid 1 mode tunnel
> src 192.168.11.0/24 dst 172.31.32.0/20
> dir in priority 377471
> tmpl src 112.199.95.138 dst 172.31.255.19
> proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0
> src ::/0 dst ::/0
> socket in priority 0
> src ::/0 dst ::/0
> socket out priority 0
> src ::/0 dst ::/0
> socket in priority 0
> src ::/0 dst ::/0
> socket out priority 0
> 
> # iptables-save
> # Generated by iptables-save v1.6.1 on Thu Sep 19 20:44:46 2019
> *filter
> :INPUT ACCEPT [2151:364680]
> :FORWARD ACCEPT [24:2016]
> :OUTPUT ACCEPT [2132:344479]
> COMMIT
> # Completed on Thu Sep 19 20:44:46 2019
> 
> # ip rule
> 0: from all lookup local
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
> 
> # egrep -v "(^$|#)" /etc/sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.secure_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.secure_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.ens5.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.tcp_syncookies = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.tcp_mtu_probing = 1
> 
> -- 
> Doug Bell
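An added example, not part of this thread and not strongSwan code: a small Python helper that parses the `ip xfrm policy show` output quoted above and reports which policy, if any, a given flow selects, applying the kernel's rule (both addresses must fall inside the selector, the direction must match, and the lowest priority value wins). The policy text is constructed from the lines in the post, with the catch-all socket policies left out. Run against the ICMP flow in the post's tcpdump output (172.31.255.138 to 192.168.11.221), it finds no matching `out` policy: the configured selector 172.31.255.0/32 covers only the single address 172.31.255.0, whereas the post describes the internal network as 172.31.255.0/24. A packet that matches no policy is forwarded by ordinary routing without ESP, which agrees with the `0 bytes_o` counter in the statusall output. Note also that this tunnel uses ESP in UDP, so `tcpdump esp` would not show its traffic even when the policy matches, hence the `udp and port 4500` filter in the reply.

```python
import ipaddress
import re

# Constructed sample: the "out" and "fwd" IPsec policies quoted in the post
# (the catch-all "socket" policies carry no ESP template and are left out).
XFRM_POLICY_OUTPUT = """\
src 172.31.255.0/32 dst 192.168.11.0/24
dir out priority 371327
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.255.0/32
dir fwd priority 371327
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.11.0/24
dir out priority 377471
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.32.0/20
dir fwd priority 377471
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)$")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` text into a list of policy dicts.

    Each dict holds the traffic selector (src/dst networks), the direction,
    the kernel priority and the ESP template endpoints.  Entries without a
    `dir` line (socket policies) are dropped.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
                "tmpl": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            current["tmpl"] = (m.group(1), m.group(2))
    return [p for p in policies if p["dir"] is not None]


def match_policy(policies, src_ip, dst_ip, direction):
    """Return the policy the kernel would apply to a packet, or None.

    A policy applies when both addresses fall inside its selectors and the
    direction matches; among several candidates the lowest priority value wins.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        p for p in policies
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


if __name__ == "__main__":
    policies = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    # First flow: the ICMP echo request seen in the post's tcpdump output.
    # Second flow: a host in the /20 subnet, whose selector does cover it.
    # Third flow: the reply direction for the first host.
    for flow in [("172.31.255.138", "192.168.11.221", "out"),
                 ("172.31.40.5", "192.168.11.221", "out"),
                 ("192.168.11.221", "172.31.255.138", "fwd")]:
        p = match_policy(policies, *flow)
        if p is None:
            print(f"{flow}: no IPsec policy matches this flow")
        else:
            print(f"{flow}: policy {p['src']} -> {p['dst']} "
                  f"(prio {p['priority']}) tunnels to {p['tmpl'][1]}")
```

To use it on a live system, replace the constructed text with the output of `ip xfrm policy show` and feed it the source and destination of a packet seen in `tcpdump -n icmp` on the gateway; a `None` result for the `out` direction means the selector, not the SA, is what needs attention.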
